Anomaly detection has been applied to control systems to increase cyber-physical security and to optimize the operation of a control system. The principles typically used in anomaly detection can include identifying normal behavior and selecting a threshold for identifying anomalous behavior. Usually, the challenge is to develop a method that can detect the abnormalities specific to an industry's needs.
An anomaly such as a cyber-physical attack may be undetectable from tampered measurements if there is a set of normal operating conditions consistent with the tampered measurements. Conventional cyber-physical attack detection approaches are implemented in a centralized manner.
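The undetectability condition stated above, shown as an added example that is not part of the original text: it assumes a linear measurement model z = Hx checked by a least-squares residual test, and compares a deviation that no normal state explains with one that matches another normal state. The matrix `H`, the readings, the threshold and all function names are constructed for illustration.

```python
# Added example: least-squares residual check on an assumed linear model z = H x.
# H, the readings and the threshold are constructed values, not from the source.
H = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [1.0, -1.0]]  # 4 sensors, 2 states

def estimate(z):
    """Least-squares state estimate for the two-state model (normal equations)."""
    a = sum(r[0] * r[0] for r in H)
    b = sum(r[0] * r[1] for r in H)
    d = sum(r[1] * r[1] for r in H)
    g0 = sum(r[0] * zi for r, zi in zip(H, z))
    g1 = sum(r[1] * zi for r, zi in zip(H, z))
    det = a * d - b * b
    return [(d * g0 - b * g1) / det, (a * g1 - b * g0) / det]

def predicted(x):
    """Readings the model expects for state x."""
    return [r[0] * x[0] + r[1] * x[1] for r in H]

def residual_norm(z):
    """Euclidean norm of z - H x_hat: distance of z from the nearest normal state."""
    return sum((zi - pi) ** 2 for zi, pi in zip(z, predicted(estimate(z)))) ** 0.5

def is_flagged(z, threshold=0.1):
    """Residual test: flag readings that no normal state explains well enough."""
    return residual_norm(z) > threshold

# Constructed readings near the state x = [1.0, 0.5], with small sensor noise.
z_normal = [1.01, 0.49, 1.50, 0.51]
# One sensor altered on its own: no single state explains all four readings.
z_inconsistent = [1.01, 0.49, 2.00, 0.51]
# Every sensor shifted by H c with c = [0.5, 0.0]: the readings match state x + c.
z_consistent = [zi + di for zi, di in zip(z_normal, predicted([0.5, 0.0]))]

if __name__ == "__main__":
    for name, z in [("normal", z_normal), ("inconsistent", z_inconsistent),
                    ("consistent", z_consistent)]:
        print(name, [round(v, 3) for v in estimate(z)],
              round(residual_norm(z), 4), is_flagged(z))
```

In the third case the estimate moves by c while the residual stays the same as for the normal readings, so the residual test alone cannot flag it.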
In cyber-physical attack security applications, one of the major problems is distinguishing between normal circumstances and “anomalous” or “abnormal” circumstances. For example, malfunctioning mechanical devices can be viewed as abnormal modifications to normal programs. Detecting anomalous activities is a difficult problem, disadvantaged by not having appropriate data and/or by the variety of different activities that need to be monitored. Additionally, protective measures based on established conventional practices are vulnerable to activities designed specifically to undermine the assumptions behind those practices.
Therefore, there is a need to develop more advanced distributed methods for real-time estimation and detection of anomalies in control systems.